TITLE

SECURITY METHOD FOR OPERATOR ACCESS CONTROL OF 
NETWORK MANAGEMENT SYSTEM 

CLAIM OF PRIORITY 
[0001] This application makes reference to, incorporates the same herein, and claims all benefits 
accruing under 35 U.S.C. §119 from an application for SECURITY METHOD FOR OPERATOR 
ACCESS CONTROL OF NETWORK MANAGEMENT SYSTEM earlier filed in the Korean 
Intellectual Property Office on 19 February 2003 and 29 May 2003, there duly assigned Serial Nos.
2003-10509 & 2003-34534, respectively. 



BACKGROUND OF THE INVENTION 
Technical Field 

[0002] The present invention relates to a security method for operator access control of a 
network management system, which enables effecting access control without changing a version 
of a system application protocol. 



Related Art 

[0003] Currently, most network devices associated with networks including the Internet use a 
network management protocol based on a Simple Network Management Protocol (SNMP) to 
manage the networks and monitor operations of the network devices. The SNMP is the most 
general network management protocol, and has been updated into versions SNMPv1, SNMPv2
and SNMPv3 with greatly improved functions. Most of the network systems are adapted to serve
an Element Management System (EMS) based on a Graphic User Interface (GUI) that uses such
an SNMP, and a Command Line Interface (CLI) that directly receives and processes a command
via an external terminal.

[0004] As the SNMP used in the network management system configured as above, SNMPv1,
SNMPv2 and SNMPv3 have been introduced in this order. Both SNMPv1 and SNMPv2 mainly
use an access restriction method of checking "read-only"/"read-write" communities, while in the
case of SNMPv3, a security module is present in the protocol.

[0005] The community implies a specification of a password system, which is defined between 
a manager and an agent. 

[0006] For example, the typical community in each of SNMPv1 and SNMPv2 is "public" for
"read-only" access and "private" for "read-write" access. Moreover, in certain systems these
communities are hard coded, which makes them difficult to modify. A security problem arises
with such systems when unauthorized users can access the network management system because
a community password has been exposed.

SUMMARY OF THE INVENTION 
[0007] Therefore, the present invention has been made in view of the above problems, and it is 
an object of the present invention to provide a method for effecting access control without 
changing a currently used version of a system application protocol. 
[0008] According to the present invention, there is provided a security method for operator
access control of a network management system, the method comprising performing an IP (Internet
Protocol) filtering to enable an external operator to determine whether or not an IP address of the
operator is a preset IP address using one of a TCP/IP (Transmission Control Protocol/Internet
protocol) or a UDP/IP (User Datagram Protocol/Internet protocol); and connecting the external
operator to a communication system by inputting an ID/password or by setting communities upon
a determination that the IP address of the operator is a preset IP address.

BRIEF DESCRIPTION OF THE DRAWINGS
[0009] A more complete appreciation of the invention, and many of the attendant advantages
thereof, will be readily apparent as the same becomes better understood by reference to the
following detailed description when considered in conjunction with the accompanying drawings
in which like reference symbols indicate the same or similar components, wherein:

[0010] FIG. 1 is a block diagram of a network management system using a simple network
management protocol (SNMP) and CLI (TL1) that is applied to the present invention;

[0011] FIG. 2 is a diagram explaining a network management system in connection with a
disadvantageous OSI reference model;

[0012] FIG. 3 is a diagram explaining a network management system in connection with an OSI
reference model according to an embodiment of the present invention;

[0013] FIG. 4 is a diagram illustrating an instance of a filtering table organized using an MIB
defined according to an embodiment of the present invention; and

[0014] FIG. 5 is a flowchart of a security process for an operator access restriction in a network
management system according to an embodiment of the present invention.

DETAILED DESCRIPTION 
[0015] FIG. 1 is a block diagram of a network management system using a simple network 
management protocol (SNMP) and CLI (TL1) that is applied to an embodiment of the present
invention, and FIG. 2 is a diagram explaining a network management system in connection with 
a disadvantageous OSI reference model. 

[0016] Referring to Fig. 1, a network management interface provided by a system 100 includes
a "TL1/CLI (Transaction Language 1/Command Line Interface) 110" and an "SNMP agent 120".
The system will manage a configuration, an alert, a performance, etc. of the system via such
management channels.

[0017] In case of the TL1 110, the TL1 may manage the system 100 through direct connection
to external consoles 200 by means of serial ports, and may also remotely manage the system with
a telnet 400 over a public network 300.

[0018] Meanwhile, the SNMP agent 120 is connected to and uses an EMS (Element
Management System) server 500 over the public network 300 using UDP (User Datagram
Protocol)/IP. Alternatively, an OSI (Open Systems Interconnection) CLNP (Connectionless
Network Protocol) may be used.

[0019] The TL1 110 and the SNMP agent 120 fetch or modify desired data from OAMP
(Operations Administration Maintenance Provisioning) 130 over IPC (InterProcess
Communication), respectively.

[0020] Referring to Fig. 2, a telnet terminal 400 or an EMS server 500 is connected to a data link
layer via a physical layer so as to have access to an application layer (SNMP/telnet/TFTP: Trivial
File Transfer Protocol) in a TCP/IP manner or in a UDP/IP manner.

[0021] An embodiment of the present invention is described herein below with reference to the
accompanying drawings. In the following description, well-known functions or constructions are
not described in detail since they would obscure the invention with unnecessary detail.

[0022] A configuration of a network management system using a simple network management
protocol (i.e., SNMP) and CLI (i.e., TL1), which are applied to the present invention, is the same
as that discussed above. Therefore, a further explanation of the configuration has been omitted
for the sake of brevity.

[0023] Fig. 3 is a diagram explaining a network management system in connection with an OSI
reference model according to an embodiment of the present invention.

[0024] Referring to Figs. 1 and 3, in case of performing a network management operation using
a TL1 110, an operator first enters an ID and a password of the operator for user authentication.
If the user authentication is successful, the operator will have access to an application layer of a
system to be managed via TCP/IP or UDP/IP. At this time, the network management system is
adapted to have access to the application layer via a security module to confirm whether an IP
address of a terminal that the operator is using is a preset IP address.

[0025] That is, a telnet terminal (400) which is a remote management channel via the IP network
(for example, the public network in Fig. 1) has a filtering function in which the IP address of an
operation terminal, which uses a telnet protocol in addition to an ID/password security device, can
serve as a security key.

PATENT P56996

[0026] Here, this module is implemented by a task entirely separate from the "CLI (Command
Line Interface)" task by which the "TL1" function is implemented.

[0027] Elementary security in the SNMPv1 and SNMPv2 is realized by the community, and the
community includes a "read-only" community and a "read-write" community, to which it may be
unusual to permit any modification.

[0028] In this embodiment of the present invention, for the sake of the security of these
communities, modification of each of the communities is allowed only by a "TL1" command. In
other words, it is impossible to read or modify the communities using the "SNMP", and it is
therefore necessary for the operator to know the "TL1" command in order to communicate with
the EMS server 500. When the community is to be modified, it is also necessary to coordinate
the change with the managing EMS server 500.

[0029] Moreover, when the SNMPv1 and SNMPv2 use UDP/IP or TCP/IP, as in the "TL1",
security is effected via the IP filtering using the IP address of the operator as a key, which is
represented by the MIB in Tables 1 to 17.

[0030] Table 1 indicates the policy ID of a system for filtering ingress packets. A value of this
object is that of an "entFilterPolicyId" in an "entFilterPolicyTable."

[0031] Also, 'DEFVAL' accepts all ingress packets.
<Table 1>

entIngressFilterPolicyId OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the policy id of system for filtering ingress packets.
         The value of this object is that of entFilterPolicyId
         in entFilterPolicyTable.

         'DEFVAL' : accept all ingress packets"
    DEFVAL      { 0 }
    ::= { entConfig 13 }



[0032] Moreover, Table 2 indicates the policy ID of a system for filtering egress packets. The
value of this object is that of the "entFilterPolicyId" in the "entFilterPolicyTable". Also, the
'DEFVAL' does not discard all egress packets.

<Table 2>

entEgressFilterPolicyId OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the policy id of system for filtering egress packets.
         The value of this object is that of entFilterPolicyId
         in entFilterPolicyTable.

         'DEFVAL' : not discard all egress packets"
    DEFVAL      { 0 }
    ::= { entConfig 14 }



[0033] Table 3 contains the filtering policy of the system on ingress/egress packets. A row in this
table points to a row in a protocol table such as an "entFilterIpTable."

[0034] For creating a row in this table, the row that is pointed to by an "entFilterPolicyPointer"
object is first created.

[0035] Further, for destroying a row in this table, the row that is pointed to by the
"entFilterPolicyPointer" object is first destroyed.

<Table 3>

entFilterPolicyTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF EntFilterPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains the filtering policies of system
         on ingress/egress packet.

         A row in this table is pointing to a row in protocol table
         such as entFilterIpTable.

         For creating a row in this table, the row that is pointed to
         by entFilterPolicyPointer object was first created.
         And for destroying a row in this table, the row that is pointed to
         by entFilterPolicyPointer object was first destroyed."
    ::= { entConfig 15 }



[0036] Further, in Table 4, each entry consists of a list of parameters that represent a filtering 
policy on the system. 

<Table 4>

entFilterPolicyEntry OBJECT-TYPE
    SYNTAX      EntFilterPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry consists of a list of parameters that
         represents filtering policy on a system."
    INDEX       { entFilterPolicyIndex }
    ::= { entFilterPolicyTable 1 }
[0037] Table 5 denotes an index into the "entFilterPolicyTable".

<Table 5>

entFilterPolicyIndex OBJECT-TYPE
    SYNTAX      INTEGER (1..9)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index into the entFilterPolicyTable."
    ::= { entFilterPolicyEntry 1 }



[0038] Further, Table 6 indicates the identification of the ingress or egress policy. The same
policy ID could belong to many rows in this table.

<Table 6>

entFilterPolicyId OBJECT-TYPE
    SYNTAX      INTEGER (1..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates the identification of ingress or egress policy.
         A same policy id could belong to many rows in this table."
    ::= { entFilterPolicyEntry 2 }
[0039] Table 7 represents a pointer to a row in a protocol table such as the "entFilterIpTable".
The value is the name of the instance of the first columnar object in the protocol table.

[0040] For example, "entFilterIpIndex.3" that is the value of the instance of this object would point
to the third row in the "entFilterIp" table.

<Table 7>

entFilterPolicyPointer OBJECT-TYPE
    SYNTAX      RowPointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Represents a pointer to a row in protocol table such as
         entFilterIp table. The value is the name of the instance of
         the first columnar object in the protocol table.

         For example, entFilterIpIndex.3 that is the value of the instance of
         this object would point to the 3rd row in the entFilterIp table."
    ::= { entFilterPolicyEntry 3 }



[0041] Furthermore, an object in Table 8 is used to create a new row, or modify or delete an 
existing row in this table. 

[0042] If the related row of a protocol table such as the "entFilterIp" table wasn't created, a row
in this table would not be created.

<Table 8>

entFilterPolicyRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to create a new row or modify or
         delete an existing row in this table.

         If the related row of protocol table such as entFilterIp table wasn't
         created, a row in this table could have not been created.

         The related row of protocol table should have been first
         destroyed before a row in this table is destroyed."
    ::= { entFilterPolicyEntry 4 }

[0043] Table 9 contains details of a filter policy over the IP protocol. 

<Table 9>

entFilterIpTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF EntFilterIpEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains the details of a filter policy over IP protocol."
    ::= { entConfig 16 }
[0044] Each entry in Table 10 consists of a list of parameters that represents a filter policy over
the IP protocol.

<Table 10>

entFilterIpEntry OBJECT-TYPE
    SYNTAX      EntFilterIpEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry consists of a list of parameters that
         represents a filter policy over IP protocol."
    INDEX       { entFilterIpIndex }
    ::= { entFilterIpTable 1 }

EntFilterIpEntry ::= SEQUENCE {
    entFilterIpIndex      INTEGER,
    entFilterIp           IpAddress,
    entFilterIpMask       IpAddress,
    entFilterIpPortNum    INTEGER,
    entFilterIpProtocol   INTEGER,
    entFilterIpControl    INTEGER,
    entFilterIpRowStatus  RowStatus
}
[0045] Table 11 indicates the index into the "entFilterIpTable".

<Table 11>

entFilterIpIndex OBJECT-TYPE
    SYNTAX      INTEGER (1..9)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index into the entFilterIpTable."
    ::= { entFilterIpEntry 1 }

[0046] Table 12 indicates an IP address applied to the filter policy. 

<Table 12> 



entFilterIp OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates ip address applied to a filter policy."
    DEFVAL      { '00000000'h }
    ::= { entFilterIpEntry 2 }
[0047] Table 13 indicates a mask of the IP address. When the "entFilterIpProtocol" is a telnet, the
system always applies 'DEFVAL' to the instance of this object.

<Table 13>

entFilterIpMask OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates the mask of ip address.
         When entFilterIpProtocol is telnet,
         system always applies 'DEFVAL' to the instance of this object."
    DEFVAL      { 'ffffffff'h }
    ::= { entFilterIpEntry 3 }



[0048] Table 14 indicates an applied port number to the filter policy. 

<Table 14> 



entFilterIpPortNum OBJECT-TYPE
    SYNTAX      INTEGER
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates the applied port number to a filter policy."
    ::= { entFilterIpEntry 4 }
[0049] Table 15 indicates a protocol to be applicable to the filter policy.

<Table 15>

entFilterIpProtocol OBJECT-TYPE
    SYNTAX      INTEGER { snmp(1), telnet(2), tftp(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates the applied protocol over IP protocol to a filter policy."
    ::= { entFilterIpEntry 5 }



[0050] In Table 16, it is determined whether to discard or accept the packet.

<Table 16>

entFilterIpControl OBJECT-TYPE
    SYNTAX      INTEGER { discard(1), accept(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Determines whether to discard or accept a packet."
    ::= { entFilterIpEntry 6 }
[0051] This object in Table 17 is used to create a new row, or modify or delete an existing row in
this table.

<Table 17>

entFilterIpRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to create a new row or modify or
         delete an existing row in this table."
    ::= { entFilterIpEntry 7 }



[0052] The filtering operation will now be described by way of the MIB objects represented in Tables
1 to 17. First, a filtering range for the objects in the "entFilterIpTable" is set and thereafter a row
is created. At this time, the meaning of the "entFilterIpProtocol" can be defined as "a protocol
over an IP".

[0053] Here, protocols to be filtered may be SNMP, Telnet, TFTP (Trivial File Transfer Protocol),
etc. In the "entFilterIpControl", there exists a value that could be set to indicate whether to discard
or accept the packet.

[0054] When the relevant row is used as an egress policy, a request for an SNMP packet is
accepted while a response packet is not sent out. Of course, it is applied to a trap as well, and
accordingly a trap packet is also not transferred to the registered EMS server 500. On the other
hand, when the relevant row is used as an ingress policy, an inverse operation is performed. Once
the row of the "entFilterIpTable" is created, the row of the "entFilterPolicyTable" must be
accordingly created. This table is implemented for providing such versatility that several rows are
contained in one policy.

[0055] In addition, the "entFilterPolicyPointer" points to the row of the "entFilterIpTable"
organized as above. Here, the "entFilterPolicyId" is implemented in a structure that allows
several "rows" to have the same value. Also, values of the "entIngressFilterPolicyId" and the
"entEgressFilterPolicyId" are set. These values affect all packets communicated between the
system and other equipment.

[0056] Objects represented by Tables 1 to 17 will now be described by way of a practical instance.

[0057] Fig. 4 illustrates an instance of a filtering table composed using the MIB defined in the
present invention.

[0058] Referring to Fig. 4, the filtering table includes a FilterPolicy table T1 consisting of a field
for PolicyID (PID) numbers selected by the operator, a pointer field having pointer values
corresponding to respective PolicyIDs, and a row status field indicating status of the relevant
"rows"; and a FilterIp table T2 consisting of an index number field taking pointer values of the
FilterPolicy table T1 as index numbers, an IP field representing an IP address for each relevant
row, a mask field that allows a group to be set by masking the IP address, a port number field, a
protocol field, a control field, and a row status field.

[0059] Each of the PolicyID field, the pointer field and the row status field in the FilterPolicy table
T1 is of an integer type. However, each of the integers of the PolicyId field and pointer field means
a figure itself, while an integer of the row status field has a meaning represented by its figure.

[0060] For example, integers of the status field, 1, 2, 3, 4, 5 and 6 are defined to indicate that status
of the "rows" are active, notInService, notReady, createAndGo, createAndWait and destroy,
respectively.

[0061] Meanwhile, in case of the FilterIp table T2, each of the index number field, the port number
field, the protocol field, the control field and the row status field is of an integer type, while each
of the IP address field and the IP address mask field is of an IP address type (xxx.xxx.xxx.xxx).
However, each of the integers of the protocol field, the control field and the row status field has
a meaning represented by each figure.

[0062] For example, values "1", "2" and "3" of the protocol field are defined to indicate that
protocol types are SNMP, Telnet and TFTP, respectively.

[0063] Moreover, values "1" and "2" of the control field are defined to indicate "discard" and
"accept", respectively.

[0064] Also, figures of the row status field are defined in the same manner as the row status field
of the FilterPolicy table T1.

[0065] Hereinafter, a process will be discussed in which the operator practically performs access
permission/denial using the above-described tables.

[0066] Fig. 5 is a flowchart of a security process for an operator access restriction in a network
management system according to an embodiment of the present invention.

[0067] Referring to Fig. 5, first, a policy on how to process the packet is determined and a Policy
Id (PId) for the determined policy is determined (S10).
[0068] A row, which has a value corresponding to the PId value determined at S10, is found in
Table 1 (S20).

[0069] A pointer value of the row found at S20 is read (S30), and a relevant row is found in the
FilterIp Table T2 taking a pointer value as an index number to process the packet based on
conditions set in the relevant row (an IP address, a mask, a port number, a protocol and an IP
control method) (S40).

[0070] For example, if the PolicyId (PId) is determined to be 100, it indicates the "row"
corresponding to the index number 1 of the FilterPolicy table 1. Since the pointer value of the row
corresponding to the index number 1 is "1", conditions corresponding to the row that corresponds
to the index number 1 of the FilterIp table 2 will be carried out.

[0071] Accordingly, in a situation where the policy Id is determined as 100, if the operator access
is attempted from a terminal of an IP address different from the IP address set in the first row of
the FilterIp table, it will fail. Moreover, although the IP addresses are the same, if the packet
is transmitted and received to and from a port number different from a preset port number 161, the
operator access will also fail.
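
The lookup of FIG. 5 (S10 to S40) over the two tables of FIG. 4, as an added Python example that is not part of the patent. The sample rows are constructed; evaluating rows in index order with the first match deciding, skipping rows that are not active, and discarding when no row matches are assumptions based on [0071], since the text does not state a precedence rule.

```python
import ipaddress
from dataclasses import dataclass

# Integer codes from Tables 15 and 16 and the row-status list in [0060].
SNMP, TELNET, TFTP = 1, 2, 3
DISCARD, ACCEPT = 1, 2
ACTIVE = 1
ACCEPT_ALL = 0                  # DEFVAL of entIngressFilterPolicyId (Table 1)
HOST_MASK = "255.255.255.255"   # DEFVAL of entFilterIpMask (Table 13)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class FilterIpRow:
    """One row of entFilterIpTable (table T2 in FIG. 4)."""
    ip: str
    mask: str
    port: int
    protocol: int
    control: int
    row_status: int = ACTIVE

    def matches(self, src_ip, port, protocol):
        # Table 13: for telnet the system always applies the default mask,
        # so a configured subnet mask is ignored and only one host matches.
        mask = _ip(HOST_MASK if self.protocol == TELNET else self.mask)
        return (protocol == self.protocol and port == self.port
                and (_ip(src_ip) & mask) == (_ip(self.ip) & mask))


@dataclass(frozen=True)
class FilterPolicyRow:
    """One row of entFilterPolicyTable (table T1 in FIG. 4)."""
    policy_id: int
    pointer: int            # index of the referenced entFilterIpTable row
    row_status: int = ACTIVE


def ingress_decision(policy_id, policy_table, ip_table, src_ip, port, protocol):
    """Walk S20-S40 of FIG. 5 for the policy chosen in S10."""
    if policy_id == ACCEPT_ALL:
        return ACCEPT
    for index in sorted(policy_table):            # assumed order: table index
        prow = policy_table[index]
        if prow.policy_id != policy_id or prow.row_status != ACTIVE:
            continue                              # S20: not a row of this policy
        frow = ip_table.get(prow.pointer)         # S30: follow the pointer
        if frow is None or frow.row_status != ACTIVE:
            continue                              # dangling or inactive row
        if frow.matches(src_ip, port, protocol):  # S40: apply row conditions
            return frow.control
    return DISCARD                                # nothing matched: access fails


# Constructed sample tables. PId 100, pointer 1 and port 161 follow
# [0070]-[0071]; the addresses are placeholders, not the values of FIG. 4.
IP_TABLE = {
    1: FilterIpRow("192.0.2.10", HOST_MASK, 161, SNMP, ACCEPT),
    2: FilterIpRow("198.51.100.0", "255.255.255.0", 161, SNMP, ACCEPT),
    3: FilterIpRow("203.0.113.0", "255.255.255.0", 23, TELNET, ACCEPT),
}
POLICY_TABLE = {
    1: FilterPolicyRow(100, 1),
    2: FilterPolicyRow(100, 2),
    3: FilterPolicyRow(100, 3),
}

if __name__ == "__main__":
    for src, port, proto in [("192.0.2.10", 161, SNMP),
                             ("192.0.2.11", 161, SNMP),
                             ("192.0.2.10", 162, SNMP),
                             ("198.51.100.77", 161, SNMP),
                             ("203.0.113.5", 23, TELNET)]:
        verdict = ingress_decision(100, POLICY_TABLE, IP_TABLE, src, port, proto)
        print(src, port, proto, "accept" if verdict == ACCEPT else "discard")
```

The telnet row shows the consequence of the Table 13 rule: a subnet mask configured on a telnet row has no effect, so each permitted telnet terminal needs its own row.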
[0072] Subsequently, there is presented in Table 18 an instance of a result obtained by performing
the "TL1" command on community modification and inquiry for the SNMPv1 and SNMPv2.

<Table 18> 

SU-WON> rtrv-community; 
IP C01240 

< 

SU-WON 2002-02-02 01:56:40 
M C01240COMPLD 

"RD=SamsungAcemap,WR=K_SAMSUNG_Acemap2000_set,TR=SS_Acemap_Trap" 
/* RTRV-COMMUNITY; [C01240] */ 



[0073] Here, "RD", "WR" and "TR" mean a "read-only" community, a "read-write" community
and a "trap" community, respectively. They may be modified and inquired only by the "TL1"
command. The communities must be modified even in the EMS server 500 so that the EMS server
500 is managed upon modification.

[0074] If each community password is modified as above, it results in a different community 
password from a normal password. Accordingly, no community password will be easily exposed 
to others. 

[0075] Although embodiments of the present invention have been described above, those skilled
in the art will appreciate that various modifications and alternatives of the present invention are
possible, without departing from the scope and spirit of the invention as defined in the
accompanying claims. Accordingly, the technique of the present invention covers other
embodiments of the present invention.

[0076] According to the present invention as described above, it is possible to simply maintain
security upon connection to a network management interface by adding a security module for
performing an IP filtering without upgrading SNMPv1 and SNMPv2 into SNMPv3 offering a
security function, in a system having a network management protocol of which a version that is
the same as that of the EMS is being operated.